This section explains the general concepts of data security (such as Access Management, Auditing, and Data Encryption) along with the other measures taken for Exasol deployment on public clouds and ExaCloud.
The section covers the security concepts Access Management, Auditing, and Data Encryption.
Access to the database first requires that users be authenticated. Exasol provides the following authentication methods:
- Authenticate by Password: Database users can be authenticated using passwords. You can create a database user authenticated by a password. The database checks the user's password at the time of login. For more information, see CREATE USER.
- LDAP/AD: When using the LDAP method, the database checks the user name and password against an LDAP server that is configured in EXAoperation. For more information on how to configure authentication by LDAP, see Add, Edit, and Delete Users.
- Kerberos/SSO: Exasol supports single sign-on functionality using Kerberos. By supporting Kerberos-based single sign-on (in JDBC and ODBC), users can authenticate to Exasol using their Kerberos credentials. This allows for a seamless user experience. For more information on Kerberos, see Kerberos Single Sign-On.
Exasol provides you with the following options for access management:
- Database Level: Exasol provides system privileges and object level privileges. You can use the privileges to define the access to the database and its objects. For more information about system and object privileges, see Privileges.
- Row/Column Level: You can use this feature to protect table rows based on ownership (tenant protection) or user roles. For more information, see row-level-security on GitHub.
- Cluster Level: Exasol separates the classical DBA role (SYS user who has all rights within a database instance) from the role of a cluster administrator that manages a cluster using EXAoperation. For such operational tasks, you can create and manage users from EXAoperation. For more information, see Access Management.
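The three authentication methods and the database-level privileges described above, written out as Exasol SQL. This is an added example, not part of the original page; the user, role and schema names, the password, the LDAP distinguished name and the Kerberos principal are constructed placeholders, and the schema `sales` is assumed to exist.

```sql
-- Password authentication: the database checks the password at login.
-- (Constructed placeholder password; replace before use.)
CREATE USER report_user IDENTIFIED BY "Replace-This-Passw0rd";

-- LDAP/AD: credentials are checked against the LDAP server configured in
-- EXAoperation. The distinguished name is a constructed placeholder.
CREATE USER ldap_user IDENTIFIED AT LDAP
    AS 'cn=ldap_user,ou=people,dc=example,dc=com';

-- Kerberos single sign-on: the user logs in with a Kerberos ticket through
-- JDBC or ODBC. The principal is a constructed placeholder.
CREATE USER sso_user IDENTIFIED BY KERBEROS PRINCIPAL 'sso_user@EXAMPLE.COM';

-- A newly created user holds no privileges; CREATE SESSION is the system
-- privilege that allows connecting at all.
GRANT CREATE SESSION TO report_user, ldap_user, sso_user;

-- Database-level access through a role: read-only object privilege on one
-- schema instead of a broad system privilege such as SELECT ANY TABLE.
CREATE ROLE sales_reader;
GRANT SELECT ON SCHEMA sales TO sales_reader;
GRANT sales_reader TO report_user, ldap_user, sso_user;

-- Review what the role can reach. Unquoted identifiers are stored in
-- upper case, so the grantee is matched as 'SALES_READER'.
SELECT object_name, object_type, privilege, grantor
FROM   EXA_DBA_OBJ_PRIVS
WHERE  grantee = 'SALES_READER';
```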
Exasol allows you to have auditing for sessions and SQL command execution. The auditing doesn't require any transaction log or any database schema modification. Therefore, it doesn't have any performance impact on the system. Exasol's auditing captures the following:
- All sessions with information such as driver, client, host, and operating system user.
- All executed SQL statements with information such as CPU, network, and hard disk read/write.
To know more about auditing, see Auditing.
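Queries a defender might run over the captured session and statement data. This is an added example, not part of the original page; it assumes auditing is enabled for the database and that the audit data is exposed as `EXA_STATISTICS.EXA_DBA_AUDIT_SESSIONS` and `EXA_STATISTICS.EXA_DBA_AUDIT_SQL` with the column names used below, which should be checked against the system table reference for your version. The thresholds and time windows are constructed values.

```sql
-- 1. Repeated failed logins in the last 24 hours, grouped by account and
--    origin (host, operating system user, client, driver).
SELECT user_name, host, os_user, client, driver,
       COUNT(*)        AS failed_logins,
       MAX(login_time) AS last_attempt
FROM   EXA_STATISTICS.EXA_DBA_AUDIT_SESSIONS
WHERE  success = FALSE
  AND  login_time > ADD_DAYS(CURRENT_TIMESTAMP, -1)
GROUP  BY user_name, host, os_user, client, driver
HAVING COUNT(*) >= 5              -- constructed alert threshold
ORDER  BY failed_logins DESC;

-- 2. User and privilege changes in the last 7 days, joined to the session
--    that issued them. The class value 'DCL' is an assumption; list the
--    distinct COMMAND_CLASS values on your system first.
SELECT q.start_time, s.user_name, s.host, s.os_user,
       q.command_name, q.success, q.sql_text
FROM   EXA_STATISTICS.EXA_DBA_AUDIT_SQL q
JOIN   EXA_STATISTICS.EXA_DBA_AUDIT_SESSIONS s
       ON s.session_id = q.session_id
WHERE  q.command_class = 'DCL'
  AND  q.start_time > ADD_DAYS(CURRENT_TIMESTAMP, -7)
ORDER  BY q.start_time DESC;

-- 3. Sessions that connected without encryption in the last 7 days,
--    per account and driver. An empty result is the expected state when
--    encrypted connections are enforced.
SELECT user_name, host, client, driver,
       COUNT(*)        AS unencrypted_sessions,
       MAX(login_time) AS last_seen
FROM   EXA_STATISTICS.EXA_DBA_AUDIT_SESSIONS
WHERE  encrypted = FALSE
  AND  success = TRUE
  AND  login_time > ADD_DAYS(CURRENT_TIMESTAMP, -7)
GROUP  BY user_name, host, client, driver
ORDER  BY unencrypted_sessions DESC;
```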
Exasol uses different data encryption algorithms to secure the data when it is transferred through the network or when it is stored on a disk.
- Data in-motion: The encryption when data is transferred through a network. Exasol uses ChaCha20 encryption for JDBC, ODBC, ADO.NET, and CLI. For WebSockets, Exasol uses TLS v1.2 encryption. You can also refuse a connection from a client via a driver if the connection is not securely established. This is possible if you set the parameter -forceProtocolEncryption=1 when creating a database. To learn how to upload a TLS certificate, see Upload TLS Certificate.
- Data at-rest: The encryption when data is stored on a disk. Exasol uses AES-256 (LUKS, also known as cryptsetup) for OS and storage disk encryption. If a license server is encrypted, it needs a LUKS passphrase to be accessible after each boot. For a data node, the passphrase is stored in EXAoperation and the data node is automatically unlocked during the boot. For permanently deleting data from a disk, the Linux tool shred is used (7 iterations and a final zero overwrite to hide shredding).
Security in ExaCloud
ExaCloud is a database-as-a-service provided by Exasol with a hosting provider in German data centers. For details about the infrastructure certificates of the hosting partner, see IT Certificates | Noris Network.
Data encryption, security measures, and secure access via Site-to-Site VPN for ExaCloud are discussed with the customer and then implemented according to the requirement.
Security in Public Clouds
Exasol provides enterprise-level security in the public clouds such as AWS, Azure, and GCP:
- Exasol is always deployed in a customer's cloud account; therefore, the customer always has full control over its data.
- Exasol can be deployed using existing VPCs and subnets (and their respective counterparts in Azure/GCP) to cater to the customer security requirements or with new networking components.
- Security Groups (and their respective counterparts in Azure/GCP) only require minimum modification for ports. They can further be restricted to be only accessible from the customer's company network.
- Encryption in-motion and at-rest are also enforced in all public clouds for data protection.
- Support for Identity and Access Management (IAM)/ Azure Active Directory/ Google Cloud Identity and Access Management (IAM) is available to specify who has access to the resources.
- You can configure if resources should be accessible through public IPs or not.
- Exasol's marketplace offerings always contain the latest security updates for CentOS and its kernel.