<!DOCTYPE html>
<html lang="en">
<head>
  <!-- Document metadata -->
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width,initial-scale=1.0">
  <title>Apache Cassandra | Apache Cassandra Documentation</title>
  <meta name="description" content="The Apache Cassandra Community">
  <meta name="generator" content="Antora 2.3.4">

  <!-- Dublin Core terms -->
  <link rel="schema.dcterms" href="https://purl.org/dc/terms/">
  <meta name="dcterms.subject" content="_">
  <meta name="dcterms.identifier" content="master">

  <!-- Site assets -->
  <link rel="stylesheet" href="../../assets/css/site.css">
  <link rel="icon" href="../../assets/img/favicon.ico" type="image/x-icon">

  <!--
    Injects plausible.js at runtime so that data-domain can be set to the
    hostname serving the page. Because this is an inline script, any
    Content-Security-Policy applied to the page has to allow it explicitly.
  -->
  <script>
    const domain = window.location.hostname;
    const script = document.createElement("script");
    script.src = "https://plausible.cassandra.apache.org/js/plausible.js";
    script.type = "text/javascript";
    script.setAttribute("data-domain", domain);
    script.setAttribute("async", 'true');
    script.setAttribute("defer", 'true');
    document.head.appendChild(script);
  </script>
</head>
<body class="single-post">
<div class="container mx-auto relative">
<!--
  jQuery is fetched from a third-party CDN without an integrity attribute, so
  the page executes whatever the CDN returns for this URL.
  TODO(review): pin the file with integrity="sha384-<HASH_OF_VETTED_FILE>" and
  crossorigin="anonymous", or serve a vetted copy from the site's own assets.
-->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<!--
  NOTE(review): these Open Graph <meta> elements are emitted inside <body>;
  metadata elements belong in <head>. og:description is empty and og:url is
  "/" here; confirm against the template that generates them.
-->
<meta property="og:type" content="website" />
<meta property="og:description" content="" />
<meta property="og:url" content="/" />
<meta property="og:site_name" content="Apache Cassandra" />
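<header id="top-nav">
  <div class="inner relative">
    <!--
      Social profiles open in a new tab. rel="noopener" stops the opened page
      from reaching this one through window.opener. The former
      styles="margin-left: 20px;" attribute was dropped: "styles" is not an
      HTML attribute and never had an effect; set spacing in site.css if wanted.
    -->
    <div class="header-social-icons text-right">
      <a href="https://twitter.com/cassandra?lang=en" target="_blank" rel="noopener"><img src="../../assets/img/twitter-icon-circle-white.svg" alt="twitter icon" width="24"></a>
      <a href="https://www.linkedin.com/company/apache-cassandra/" target="_blank" rel="noopener"><img src="../../assets/img/LI-In-Bug.png" alt="linked-in icon" width="24"></a>
      <a href="https://www.youtube.com/c/PlanetCassandra" target="_blank" rel="noopener"><img src="../../assets/img/youtube-icon.png" alt="youtube icon" width="24"></a>
    </div>
    <div class="cf">
      <div class="logo left"><a href="/"><img src="../../assets/img/logo-white-r.png" alt="cassandra logo"></a></div>
      <!-- Mobile menu toggle; the image carries the control's only text alternative. -->
      <div class="mobile-nav-icon right">
        <img class="toggle-icon" src="../../assets/img/hamburger-nav.svg" alt="Open navigation menu">
      </div>
      <ul class="main-nav nav-links right flex flex-vert-center flex-space-between">
        <li>
          <!-- NOTE(review): no href, so this label is not keyboard-focusable; confirm the sub-menu is reachable without a pointer. -->
          <a class="nav-link hide-mobile">Get Started</a>
          <ul class="sub-menu bg-white">
            <li class="pa-micro">
              <a href="/_/cassandra-basics.html">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-basics.png" alt="cassandra basics icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Cassandra Basics
                </div>
              </a>
            </li>
            <li class="pa-micro">
              <a href="/_/quickstart.html">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-rocket.png" alt="quickstart icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Quickstart
                </div>
              </a>
            </li>
            <li class="pa-micro">
              <a href="/_/ecosystem.html">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-ecosystem.png" alt="ecosystem icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Ecosystem
                </div>
              </a>
            </li>
          </ul>
        </li>
        <li><a class="nav-link" href="/doc/latest/">Documentation</a></li>
        <li>
          <a class="nav-link" href="/_/community.html">Community</a>
          <ul class="sub-menu bg-white">
            <li class="pa-micro">
              <a href="/_/community.html#code-of-conduct">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-welcome.png" alt="welcome icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Welcome
                </div>
              </a>
            </li>
            <li class="pa-micro hide-mobile">
              <a href="/_/community.html#discussions">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-discussions.png" alt="discussions icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Discussions
                </div>
              </a>
            </li>
            <li class="pa-micro hide-mobile">
              <a href="/_/community.html#project-governance">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-governance.png" alt="Governance icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Governance
                </div>
              </a>
            </li>
            <li class="pa-micro hide-mobile">
              <a href="/_/community.html#how-to-contribute">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-contribute.png" alt="Contribute icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Contribute
                </div>
              </a>
            </li>
            <li class="pa-micro hide-mobile">
              <a href="/_/community.html#meet-the-community">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-community.png" alt="Meet the Community icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Meet the Community
                </div>
              </a>
            </li>
            <li class="pa-micro hide-mobile">
              <a href="/_/cassandra-catalyst-program.html">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-catalyst.png" alt="Catalyst icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Catalyst Program
                </div>
              </a>
            </li>
            <li class="pa-micro hide-mobile">
              <a href="/_/events.html">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-events.png" alt="Events icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Events
                </div>
              </a>
            </li>
          </ul>
        </li>
        <li>
          <!-- NOTE(review): no href, so this label is not keyboard-focusable; confirm the sub-menu is reachable without a pointer. -->
          <a class="nav-link hide-mobile">Learn</a>
          <ul class="sub-menu bg-white">
            <li class="pa-micro">
              <a href="/_/Apache-Cassandra-5.0-Moving-Toward-an-AI-Driven-Future.html">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-basics.png" alt="Basics icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Cassandra 5.0
                </div>
              </a>
            </li>
            <li class="pa-micro">
              <a href="/_/case-studies.html">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-case-study.png" alt="Case Studies icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Case Studies
                </div>
              </a>
            </li>
            <li class="pa-micro">
              <a href="/_/resources.html">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-resources.png" alt="Resources icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Resources
                </div>
              </a>
            </li>
            <li class="pa-micro">
              <a href="/_/blog.html">
                <div class="sub-nav-icon">
                  <img src="../../assets/img/sub-menu-blog.png" alt="Blog icon">
                </div>
                <div class="sub-nav-text teal py-small">
                  Blog
                </div>
              </a>
            </li>
          </ul>
        </li>
        <li><a class="nav-link btn btn--filled" href="/_/download.html">Download Now</a></li>
      </ul>
    </div>
  </div>
</header>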
<div class="hero hero--home grad">
<div class="eye"></div>
<div id="home-content" class="text-center flex flex-center flex-column relative z2 ma-xlarge">
<h1>Tightening Security for Apache Cassandra: Part 1</h1>
<h3>January 31, 2022 | Maulin Vasavada</h3>
</div>
</div>
<div id="blog-post" class="flex-center py-large arrow">
<div class="blog-breadcrumb mb-medium">
<div class="inner inner--narrow">
<a href="/_/blog.html">« Back to the Apache Cassandra Blog</a>
</div>
</div>
<div class="post-content">
<div class="inner inner--narrow">
<div id="preamble">
<div class="sectionbody">
<div class="imageblock">
<div class="content">
<img src="../_images/blog/tighten-security-p1-unsplash.jpg" alt="secure lock and chain across a door">
</div>
</div>
<div class="paragraph">
<p>Image credit: <a href="https://unsplash.com/@thommilkovic" target="_blank" rel="noopener">Thom Milkovic on Unsplash</a></p>
</div>
<div class="paragraph">
<p>This series will show you how Apache Cassandra 4.0+ enables users to customize SSL/TLS configuration flexibly and enhance the database’s security posture. First, we will start with some context before diving into the technical details.</p>
</div>
<div class="paragraph">
<p>According to eMarketer’s <a href="https://www.emarketer.com/content/us-ecommerce-forecast-2021" target="_blank" rel="noopener">forecast in 2021</a>: “US e-commerce sales are projected to continue to grow by double digits, up 17.9% in 2021 to $933.30 billion. E-commerce penetration will continue to increase, more than doubling from 2019 to 23.6% in 2025.” While eMarketer’s data is only for the US, the global trend is seeing a similar upward swing. With this growth in buying online, there is an increased focus on security and how to protect customers’ data and secure communication between computers, especially with databases such as Apache Cassandra that store customer and transaction data.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="../_images/blog/emarketer-chart.png" alt="eMarketer chart">
</div>
</div>
<div id="img-ecommerce" class="paragraph">
<p>The growth in ecommerce also demands software that&#8217;s both secure and scalable.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="adoption-of-apache-cassandra-securing-data"><a class="anchor" href="#adoption-of-apache-cassandra-securing-data"></a>Adoption of Apache Cassandra &amp; Securing Data</h3>
<div class="paragraph">
<p>Apache Cassandra is the open source NoSQL database for mission-critical data. Its adoption grows day by day in the industry, and it’s used by organizations of all sizes serving varied technical and business domains, such as IT Financial Services, Healthcare, Retail, Government, and Education, to name a few. You can find some <a href="Apache-Cassandra-Usage-Report-2020.html" class="page">interesting statistics</a> from the 2020 survey about Apache Cassandra’s usage in the industry.</p>
</div>
<div class="paragraph">
<p>As the web traffic grows for business-to-consumer interactions, service providers need to ensure customer data is securely protected and the backing software can scale to handle growing demand without outages. Service providers use various technologies to support their business functions such as Online Transaction Processing (OLTP), serving internal analytical needs for customer insights, running risk and fraud detection systems, etc. As traffic grows, each sub-system and technology will need to scale with traffic while satisfying security requirements.</p>
</div>
<div class="paragraph">
<p>Primarily there are two avenues to consider for securing data: data in transit and data at rest.</p>
</div>
<div class="paragraph">
<p>Data in transit refers to the data traveling between computers over the network (sometimes referred to as ‘over-the-wire’). For example, a customer’s credit card details travel to the service provider for payment processing, and, of course, customers expect that to be done securely.</p>
</div>
<div class="paragraph">
<p>Data at rest refers to the data digitally stored for durability. Like data in transit, data at rest needs to be secured with appropriate access control mechanisms and data encryption.</p>
</div>
<div class="paragraph">
<p>In this series, we’re focused on securing data in transit. We will cover the security aspects in more detail in Part 2, but first we go through a few basics of security, followed by how Apache Cassandra gives operators configurable options for securing data in transit, meaning both between client nodes and Cassandra server nodes and from server to server.</p>
</div>
</div>
<div class="sect2">
<h3 id="using-tls-to-secure-data-in-transit"><a class="anchor" href="#using-tls-to-secure-data-in-transit"></a>Using TLS to secure data-in-transit</h3>
<div class="paragraph">
<p>TLS (Transport Layer Security) is an industry-standard cryptographic protocol to secure data over the wire between two computers. Typically, this is between a web server and a browser. It is the successor to the SSL (Secure Sockets Layer) protocol, and you will often notice technologists using “SSL” and “TLS” interchangeably in higher-level discussions, even though the SSL protocol versions themselves are deprecated and “SSL” in such discussions generally means TLS. Here are some good <a href="https://www.internetsociety.org/deploy360/tls/basics/" target="_blank" rel="noopener">guides</a> for learning about TLS basics and understanding the <a href="https://www.ssl.com/article/ssl-tls-handshake-overview/" target="_blank" rel="noopener">TLS Handshake</a> between client and server.</p>
</div>
<div class="paragraph">
<p>TLS requires the server to have an asymmetric key pair and a <a href="https://protonmail.com/blog/tls-ssl-certificate/#What-is-a-TLS-certificate" target="_blank" rel="noopener">digital certificate</a> for its public key. This enables the client to verify that the server is what it claims to be, but the server will still trust any client. In order to limit which clients the server trusts, each allowed client needs a similar certificate, and you must configure the server to trust those certificates so the server can <a href="https://aboutssl.org/ssl-tls-client-authentication-how-does-it-works/" target="_blank" rel="noopener">authenticate a client</a>. This is also known as Client-TLS Auth, Two-way-SSL, Mutual-TLS, or mTLS (most commonly used) for short.</p>
</div>
<div class="paragraph">
<p>Apart from some <a href="https://www.internetsociety.org/deploy360/tls/basics/" target="_blank" rel="noopener">higher level challenges</a> with TLS, there are also operational challenges you will need to consider, which we will cover in Part 2. Next time, we will look at storing your private key and password, credential rotations, operations at scale, and how to configure TLS/mTLS on the server-side.</p>
</div>
</div>
<div class="sect2">
<h3 id="want-to-learn-more-about-apache-cassandras-security-features"><a class="anchor" href="#want-to-learn-more-about-apache-cassandras-security-features"></a>Want to learn more about Apache Cassandra’s security features?</h3>
<div class="paragraph">
<p>Head to our <a href="/doc/trunk/cassandra/operating/security.html">Security documentation</a> section for more details.</p>
</div>
</div>
</div>
</div>
</div>
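<footer class="grad grad--two flex-center pb-xlarge">
  <!-- Call to action; the site script retargets #footer-cta when the current page is the quickstart page. -->
  <div class="inner text-center z2 relative">
    <h2 class="white py-small">Get started with Cassandra, fast.</h2>
    <a id="footer-cta" href="/_/quickstart.html" class="btn btn--filled ma-medium">Quickstart Guide</a>
  </div>
  <div class="inner flex flex-distribute-items mt-xlarge z2 relative">
    <div class="col-2">
      <div id="footer-logo" class="logo logo--footer mb-medium"><img src="../../assets/img/logo-white-r.png" alt="Cassandra Logo"></div>
      <p>Apache Cassandra<img src="../../assets/img/registered.svg" alt="®" style="width:18px;"> powers mission-critical deployments with improved performance and unparalleled levels of scale in the cloud.</p>
      <!-- Links that open a new tab carry rel="noopener" so the opened page cannot reach this one through window.opener. -->
      <div class="footer-social-icons">
        <a href="https://twitter.com/cassandra?lang=en" target="_blank" rel="noopener"><img src="../../assets/img/twitter-icon-circle-white.svg" alt="twitter icon" width="24"></a>
        <a href="https://www.linkedin.com/company/apache-cassandra/" target="_blank" rel="noopener"><img src="../../assets/img/LI-In-Bug.png" alt="linked-in icon" width="24"></a>
        <a href="https://www.youtube.com/c/PlanetCassandra" target="_blank" rel="noopener"><img src="../../assets/img/youtube-icon.png" alt="youtube icon" width="24"></a>
      </div>
    </div>
    <!-- Site map -->
    <div class="col-2 flex flex-center">
      <ul class="columns-2">
        <li class="mb-small"><a href="/">Home</a></li>
        <li class="mb-small"><a href="/_/cassandra-basics.html">Cassandra Basics</a></li>
        <li class="mb-small"><a href="/_/quickstart.html">Quickstart</a></li>
        <li class="mb-small"><a href="/_/ecosystem.html">Ecosystem</a></li>
        <li class="mb-small"><a href="/doc/latest/">Documentation</a></li>
        <li class="mb-small"><a href="/_/community.html">Community</a></li>
        <li class="mb-small"><a href="/_/case-studies.html">Case Studies</a></li>
        <li class="mb-small"><a href="/_/resources.html">Resources</a></li>
        <li class="mb-small"><a href="/_/blog.html">Blog</a></li>
      </ul>
    </div>
  </div>
</footer>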
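<!--
  ASF links and legal notice. Every link is https (the Foundation link was
  plain http) and every new-tab link carries rel="noopener". The doubled
  slash in the feather image path was normalised.
-->
<div class="lower-footer bg-white pa-medium">
  <div class="flex flex-row flex-vert-center">
    <div class="pr-medium"><img src="../../assets/img/feather-small.png" alt="ASF" width="20"></div>
    <div class="pr-medium"><a href="https://www.apache.org/" target="_blank" rel="noopener">Foundation</a></div>
    <div class="pr-medium"><a href="https://www.apache.org/events/current-event.html" target="_blank" rel="noopener">Events</a></div>
    <div class="pr-medium"><a href="https://www.apache.org/licenses/" target="_blank" rel="noopener">License</a></div>
    <div class="pr-medium"><a href="https://www.apache.org/foundation/thanks" target="_blank" rel="noopener">Thanks</a></div>
    <div class="pr-medium"><a href="https://www.apache.org/security" target="_blank" rel="noopener">Security</a></div>
    <div class="pr-medium"><a href="https://privacy.apache.org/policies/privacy-policy-public.html" target="_blank" rel="noopener">Privacy</a></div>
    <div class="pr-medium"><a href="https://www.apache.org/foundation/sponsorship" target="_blank" rel="noopener">Sponsorship</a></div>
  </div>
  <!-- The end year is written by an inline script while the page is parsed, so it only appears with JavaScript enabled. -->
  <p class="my-medium">© 2009-<script>document.write(new Date().getFullYear())</script> <a href="https://apache.org" target="_blank" rel="noopener">The Apache Software Foundation</a> under the terms of the Apache License 2.0. Apache, the Apache feather logo, Apache Cassandra, Cassandra, and the Cassandra logo, are either registered trademarks or trademarks of The Apache Software Foundation.</p>
</div>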
<!-- Overlay and modal shell: both start with class "hidden", and #mod-content is empty in the markup. -->
<div id="fade" class="hidden"></div>
<div id="modal" class="hidden">
  <!-- Close control: an inline SVG drawing two crossing lines. -->
  <div id="close-modal" class="cursor-pointer"><svg
      class="css-i6dzq1"
      viewBox="0 0 24 24" width="24" height="24"
      fill="none" stroke="currentColor" stroke-width="2"
      stroke-linecap="round" stroke-linejoin="round">
      <line x1="18" y1="6" x2="6" y2="18"></line>
      <line x1="6" y1="6" x2="18" y2="18"></line>
    </svg></div>
  <div id="mod-content" class="vid-mod-content resp-container"></div>
</div>
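<script>
  // Site-wide UI wiring, run by jQuery once the DOM is ready.
  jQuery(function () {
    // Viewport width (px) at or below which a click on the open main nav closes it.
    var MOBILE_MAX_WIDTH = 1000;

    $(document)
      // Hamburger icon: reveal the main navigation.
      .on('click', '.mobile-nav-icon', function () {
        $('.main-nav').fadeIn();
      })
      // Click inside the main nav: close it on narrow viewports. The width is
      // read at click time, not once at load, so a resize or rotation after
      // load is taken into account.
      .on('click', '.main-nav', function () {
        if ($(window).width() <= MOBILE_MAX_WIDTH) {
          $(this).fadeOut();
        }
      })
      // Version switcher: toggle the control and the element that follows it.
      // (#version-toggle is not in this page's markup; presumably used by docs pages.)
      .on('click', '#version-toggle', function () {
        $(this).toggleClass('active');
        $(this).next().fadeToggle();
      })
      // Docs navigation burger: toggle itself and the .docs-nav panel.
      // (Also absent from this page's markup.)
      .on('click', '#mobile-docs-nav-burger', function () {
        $(this).toggleClass('active');
        $('.docs-nav').toggleClass('active');
      });

    // On the quickstart page the footer call-to-action is pointed at the blog
    // with a new label. The null check keeps a page without #footer-cta from
    // throwing; textContent is used because the label is plain text.
    var footerCTA = document.getElementById('footer-cta');
    var isQuickstart = window.location.pathname.includes('quickstart.html');
    if (isQuickstart && footerCTA) {
      footerCTA.textContent = 'Get latest updates';
      footerCTA.setAttribute('href', '/_/blog.html');
    }
  });
</script>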
</div>
</body>
<!--
  NOTE(review): this ready handler has an empty body, so it registers a
  callback that does nothing. It also sits after </body>, where a <script>
  element is not valid markup. Candidate for removal from the page template.
-->
<script>
jQuery(function(){
});
</script>
</html>