Security is a priority for all modern cloud applications, and DataStax has put several practices in place to keep it that way throughout its development and operations.
DataStax has a software development policy that requires code reviews on all code before it is checked into our code repository. This policy includes a review for security-related issues.
DataStax has retained external security experts to code review our security features. Based on their analysis, we made improvements and added features such as support for off-server key storage. External validation is an ongoing process that we use to double-check our own efforts.
The DataStax Test Engineering team routinely scans our software with the SRC:CLR product to itemize the content of our software and match publicly known vulnerabilities to code. In addition to scanning our codebase, DataStax monitors the National Vulnerability Database and US-CERT activity. The results of code scans and NVD and US-CERT monitoring are fed back into the development team for review and, if applicable, patches are created. The Vulnerability Reporting tab contains a list of recently identified issues and their disposition.
DataStax Enterprise provides standard and advanced security features that you can build into your application stack. Relevant features include:
Easily create users with RDBMS style syntax.
Integrate DSE into your existing security infrastructure with its Kerberos, LDAP, and Active Directory support.
Use the familiar GRANT/REVOKE paradigm to assign permissions to database roles so that each user can reach only the keyspaces and tables their job requires.
Encrypt data in transit with client-to-node and node-to-node SSL/TLS so that it cannot be intercepted as it travels between clients and the cluster or between nodes.
Use parameterized (prepared) statements in the DataStax drivers to prevent CQL injection, the Cassandra analogue of SQL injection.
Encrypt data at rest transparently to the application, so that stored files cannot be read by anyone who bypasses the database.
Audit all user activity in a database cluster, including login attempts, so that breach attempts can be detected and investigated.
DSE Advanced Security delivers key features needed to support PCI and SOX compliance requirements.
DSE Advanced Security extends to all nodes in a DSE cluster, including those used for running analytics, search, and in-memory computing workloads on Cassandra data.
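The following is an added example, not code from DataStax or this page, showing why the parameterized statements mentioned above matter. The keyspace, table, column names and the attacker input are constructed for the illustration. In CQL a string spliced into an UPDATE can smuggle in an extra column assignment; a prepared statement with bound parameters cannot, because the statement text the server parses never contains the value.

```python
"""Added example (not DataStax code): CQL built by concatenation versus a
parameterized statement.

Constructed scenario: an application lets a user change their own e-mail
address. The unsafe builder splices the submitted value into the CQL text;
the safe builder keeps the text constant and sends the value as a parameter.
"""
from __future__ import annotations

import re

# Constructed attacker input: closes the string literal and appends a second
# assignment to the SET clause (privilege escalation through an extra column).
MALICIOUS_EMAIL = "x@example.com', is_admin = true"


def build_update_unsafe(email: str, username: str) -> str:
    """String-concatenated CQL: the submitted value becomes statement text."""
    return f"UPDATE app.users SET email = '{email}' WHERE username = '{username}'"


def build_update_safe(email: str, username: str) -> tuple[str, list]:
    """Parameterized CQL: returns (statement with placeholders, bound values).

    The statement is fixed; the values are shipped separately and are never
    re-parsed as CQL by the server.
    """
    stmt = "UPDATE app.users SET email = ? WHERE username = ?"
    return stmt, [email, username]


def set_clause_assignments(cql: str) -> list[str]:
    """Column names assigned in a statement's SET clause.

    A deliberately naive inspection that makes the effect of the injection
    visible: the unsafe statement gains an assignment the code never wrote.
    """
    m = re.search(r"\bSET\b(.*?)\bWHERE\b", cql, re.IGNORECASE | re.DOTALL)
    if not m:
        return []
    return [part.split("=")[0].strip() for part in m.group(1).split(",")]


def update_email(session, email: str, username: str) -> None:
    """Run the safe form against a live DataStax Python driver Session.

    Not executed in this file; assumes a connected `session` object from the
    driver. `Session.prepare` parses the statement once on the server and
    `Session.execute(prepared, values)` binds the values to it.
    """
    stmt, values = build_update_safe(email, username)
    prepared = session.prepare(stmt)
    session.execute(prepared, values)


if __name__ == "__main__":
    unsafe = build_update_unsafe(MALICIOUS_EMAIL, "alice")
    safe_stmt, safe_values = build_update_safe(MALICIOUS_EMAIL, "alice")
    print("unsafe:", unsafe)
    print("  columns assigned:", set_clause_assignments(unsafe))
    print("safe:  ", safe_stmt, "with", safe_values)
    print("  columns assigned:", set_clause_assignments(safe_stmt))
```

With the constructed input, the concatenated statement assigns both `email` and `is_admin`, while the parameterized statement assigns only `email` and carries the whole attacker string as the value of that one column. The same discipline applies to SELECT and DELETE: build the statement once with `?` placeholders and bind every client-supplied value.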
DataStax Enterprise (DataStax Enterprise server, DataStax OpsCenter, DataStax DevCenter, DataStax Developer Studio, and the DataStax Drivers) is provided to customers as a software bundle to be self-deployed by customers on their choice of hardware or cloud platform. As such, DataStax and its employees do not have direct access to the data a customer has stored in DataStax Enterprise or to any production customer systems.
In the course of offering support and services, it may be necessary for DataStax employees to have limited access or visibility to customer production systems or technical log files. Access to this information is at the sole discretion and invitation of the customer.
DataStax maintains small engineering data centers co-located with developers for use in product development and testing. No customer data is stored in any system running in these datacenters. The data centers are secured by a physical key, electronic access key or both. Electronic access is logged and monitored. A video camera records motion and access to the DataStax datacenter located at DataStax headquarters. An alarm system is installed at all on-premises datacenters and DataStax headquarters.
DataStax headquarters is protected by a security station with security personnel at the front desk lobby. Key fob security badges are required for building access and elevator floor access during non-business hours at DataStax headquarters. Key fob security badges are surrendered and deactivated upon employee termination.
DataStax enforces the principle of least privilege for IT systems. Access to designated systems is limited to personnel whose job function requires it. Data on DataStax customers is restricted to individuals who need it to perform their job functions. Access lists for key corporate systems are audited quarterly. Access to all systems is deleted or suspended upon termination of employment. Only secure transfer protocols (SFTP, SSH, etc.) are used to transfer data from one system endpoint to another.
DataStax conducts criminal background checks on all of its employees prior to commencement of employment.
Employee computers are password protected and are configured by default to lock automatically after 10 minutes of inactivity. All employee computers have anti-virus software installed. Employees are provided with a tool to back up or sync company data to either a local physical location or cloud storage. Each employee receives a laptop computer with a unique company asset tag for identification. DataStax employees are required to contact IT in the event of laptop theft or loss.
DataStax will notify customers of any security breach which involved their data as soon as practicable, but no later than twenty-four hours after DataStax becomes aware of it. This applies to information stored in its own systems as well as the systems of its vendors.
An important strategy DataStax uses in building secure applications and secure web experiences is to respond to vulnerability reports. The information you submit is taken very seriously and appreciated at the highest levels.
You can submit your findings using the link below.
DataStax Enterprise incorporates code from several Apache Software Foundation (ASF) projects, such as Apache Cassandra™, Apache Spark, and Apache Solr. Vulnerabilities affecting ASF software products should also be reported directly to the project. Details on reporting those vulnerabilities to the ASF can be found here.