DataStax Enterprise Security

Summary

Security is a critical consideration of any enterprise software project. Because DataStax Enterprise is the data platform for cloud applications for some of the world's most visible and demanding software applications, we take security seriously and have implemented several formal programs to make security a priority. Security is a dynamic field; therefore DataStax regularly reviews and updates these programs based on changes in our products, industry standards, and emerging threats.

DataStax Software Development Security Program

The DataStax Software Development Security Program (DSDSP) integrates security into our engineering processes with the goal of making our products as secure as possible. It covers the design, development, and testing of DataStax Enterprise with a focus on reducing the likelihood that DataStax's products will serve as the entry point for an attack or intrusion.

Enabling Security Best Practices

This program is focused on giving DataStax Enterprise the features needed for developers to build secure applications that remain secure in operation. It covers everything from encryption of data at rest to helping developers prevent "CQL Injection" attacks.

Corporate Security

This program is focused on reducing the likelihood of data breaches for DataStax internal IT systems through physical or electronic means as well as the maintenance of our security policies.

Vulnerability Reporting

This program covers transparent vulnerability reporting and status for DataStax Enterprise.

Last Updated June 1, 2017

DataStax Software Development Security Program

The DataStax Software Development Security Program (DSDSP) is DataStax's methodology to build security into our products.

Developer Training

As part of our on-boarding process, all newly-hired software engineers are required to take online secure coding training from SAFECode.

The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.


Modules taken (below) depend on the product area in which the developer works:

Secure Coding Standards

DataStax has a software development policy that requires code reviews on all code before it is checked into our code repository. This policy includes a review for security-related issues.

Expert / External Review

DataStax has retained external security experts to review the code of our security features. Based on their analysis, we made improvements and added features such as support for off-server key storage. External validation is an ongoing process that we use to double-check our own efforts.

Code Scanning and Vulnerability Monitoring

The DataStax Test Engineering team routinely scans our software with the SRC:CLR product to itemize the content of our software and match publicly known vulnerabilities to code. In addition to scanning our codebase, DataStax monitors the National Vulnerability Database and US-CERT activity. The results of code scans and NVD and US-CERT monitoring are fed back into the development team for review and, if applicable, patches are created. The Vulnerability Reporting tab contains a list of recently identified issues and their disposition.

Enabling Security Best Practices

DataStax Enterprise provides standard security and advanced features, which allow you to build security into your application stack. Relevant features include:

Internal Authentication: Easily create users with RDBMS-style syntax.
External Authentication: Integrate DSE into your existing security infrastructure with its Kerberos, LDAP, and Active Directory support.
Permission Management: Use the familiar and easy GRANT/REVOKE paradigm to assign permissions to your database users and ensure no data can be improperly accessed.
Client-to-Node/Node-to-Node Encryption: Protect data as it’s sent from clients to a database cluster or when it’s transferred between nodes so that it cannot be intercepted and stolen.
Driver Features: DataStax provides functionality in its drivers, such as parameterized statements, to help you prevent attacks similar to SQL Injection attacks.
Transparent Data Encryption: Secure data at rest with complete application transparency using preferred encryption capabilities that prevent unauthorized data access.
Data Auditing: Track all user activity in a database cluster including login attempts so data breach attempts can be identified and stopped.
PCI and SOX Compliance Support: DSE Advanced Security delivers key features needed to support PCI and SOX compliance requirements.
Uniform Security Coverage: DSE Advanced Security extends to all nodes in a DSE cluster, including those used for running analytics, search, and in-memory computing workloads on Cassandra data.

Scope

DataStax Enterprise (DataStax Enterprise server, DataStax OpsCenter, DataStax DevCenter, DataStax Developer Studio, and the DataStax Drivers) is provided to customers as a software bundle to be self-deployed by customers on their choice of hardware or cloud platform. As such, DataStax and its employees do not have direct access to the data a customer has stored in DataStax Enterprise or to any production customer systems. In the course of offering support and services it may be necessary for DataStax employees to have limited access or visibility to customer production systems or technical log files. Access to this information is at the sole discretion and invitation of the customer.

Physical Security

DataStax maintains small engineering data centers co-located with developers for use in product development and testing. No customer data is stored in any system running in these datacenters. The datacenters are secured by a physical key, electronic access key or both. Electronic access is logged and monitored. A video camera records motion and access to the DataStax datacenter located at DataStax headquarters. An alarm system is installed at all on-premises datacenters and DataStax headquarters. DataStax headquarters is protected by a security station with security personnel at the front desk lobby. Key fob security badges are required for building access and elevator floor access during non-business hours at DataStax headquarters. Key fob security badges are surrendered and deactivated upon employee termination.

Information Systems

DataStax uses several cloud-based technology vendors to support company operations. These vendors have separate security policies that govern the protection of DataStax data in their possession. Relevant vendors and their security policies are listed below.
 
Service | Security Information
Google | DataStax uses Google Apps for Business for internal messaging and document handling. Google provides security and privacy for its services as outlined in their Security and Privacy documentation. In addition, DataStax implements Google services following best practices such as:
Workday | DataStax uses Workday for HR and Finance needs. Workday security documentation can be found on their security page.
Salesforce.com | DataStax uses the Salesforce.com CRM system. Salesforce security documentation can be found on their security page and in this security whitepaper.
Pantheon | DataStax uses Pantheon for web hosting. Pantheon security documentation can be found on their security page.
Stormpath | DataStax uses Stormpath for website identity management. Stormpath security documentation can be found on their security page.

Engineering Systems

All systems in the datacenter operate behind a firewall. The firewall and switch firmware/operating systems are upgraded to the latest version every six (6) months to apply the latest security patches. Emergency upgrades are done in the event that a critical patch is released. HTTPS and SSH are the only protocols available to access the firewall. DataStax on-premises systems are accessible via an industry-recognized VPN client.
 
Service | Security Information
Atlassian JIRA | DataStax uses hosted Atlassian JIRA for tracking defects and enhancements. Atlassian security policies can be found in Atlassian Security and the Privacy Policy.
Zendesk | DataStax uses Zendesk for tracking customer support tickets. Zendesk security documentation can be found on their security page and in this privacy statement.
GitHub | DataStax uses GitHub for source code control. GitHub security documentation can be found on their security page.
RightScale | DataStax uses RightScale for multi-cloud management. RightScale security documentation can be found on their security page.
Rackspace | DataStax uses Rackspace for server hosting. Rackspace security documentation can be found on their security page.
Amazon Web Services | DataStax uses Amazon AWS for server hosting. AWS security documentation can be found on their security page.
Microsoft Azure | DataStax uses Microsoft Azure for server hosting. AWS security documentation can be found on their security page.

System Security

DataStax enforces the rule of least privilege for IT systems. Access to designated systems is limited to those personnel for whom access is required based on job function. Data on DataStax customers is restricted to individuals who require system access to perform job functions. Access lists for key corporate systems are audited quarterly. Access to all systems is deleted or suspended upon termination of employment. Only secure transfer protocols (SFTP, SSH etc.) are used to transfer data from one system endpoint to another.

Laptop and Mobile Device Security

Employee computers are password protected, and the default configuration locks them automatically after 10 minutes of inactivity. Anti-virus software is installed on all employee computers. Employees are provided with a tool to back up or sync company data to either a physical local location or to cloud storage. Each employee receives a laptop computer with an assigned unique company asset tag for identification. DataStax employees are required to contact IT in the event of laptop theft or loss.

Employee Background Checks

DataStax conducts criminal background checks on all of its employees prior to commencement of employment.

Breach Notifications

DataStax will notify customers of any security breach which involved their data as soon as practicable, but no later than twenty-four hours after DataStax becomes aware of it. This applies to information stored in its own systems as well as the systems of its vendors.

Vulnerability Handling

Reporting a Vulnerability

An important strategy DataStax uses in building secure applications is to respond to vulnerability reports. If you are a DataStax customer, you can open a support ticket to report a vulnerability. If you are not a customer, you can send email to security@datastax.com.

DataStax Enterprise incorporates code from several Apache Software Foundation (ASF) projects, such as Apache Cassandra™, Apache Spark, and Apache Solr. Vulnerabilities affecting ASF software products should also be reported directly to the project. Details on reporting those vulnerabilities to the ASF can be found here.

DataStax follows a vulnerability handling process similar to that of the Apache Foundation.
  1. The reporter reports the vulnerability privately to DataStax.
  2. The appropriate project's security team works privately with the reporter to resolve the vulnerability.
  3. A new release or patch of the DataStax product that includes the fix is produced.
  4. The vulnerability is publicly announced and the patched software made available.

Security Notices
