
Scylla Cloud Security Concepts

The following describes the Scylla Cloud security mechanisms at a high level.

Scylla Cloud security is built on four principles:

  • Principle of Least Privilege

  • Isolation

  • Auditing

  • Encryption

The following sections describe how these principles are used across different aspects of Scylla Cloud. Everything below refers to both BYOA and Scylla Account, unless explicitly stated otherwise.

Terms

  • Control Plane: the Scylla Cloud Backend, a collection of services and servers that manage Scylla Cloud users and the Scylla Cloud application (site), and manage and monitor all the Scylla Database Clusters.

  • Scylla Cluster: Scylla Enterprise Servers, running in either the Scylla Account or, in the case of BYOA, in the Customer Account.

Topology

Each Scylla Cluster runs in a dedicated, isolated environment, including:

  • Dedicated VPC

  • Dedicated VMs for Scylla Database

  • Dedicated VMs for Scylla Monitoring and Scylla Manager servers

The diagrams below describe the topology of a managed Scylla Cloud cluster, in the Scylla Account or the Customer Account (BYOA).

[Figure: Scylla Cloud on AWS Architecture - Scylla Account]

[Figure: Scylla Cloud on AWS Architecture - BYOA]

Isolation invariants

  • There is no access from one cluster to another

  • Customer data is limited to the Scylla Cluster. The Control Plane does not store, query, or access the Customer Data.

  • The Control Plane access to Scylla Clusters is limited to:

    • Monitoring information (metrics)

    • Operations, such as add node, upgrade, etc.

  • Each cluster manages its own S3 backup bucket per DC (region)

Principle of Least Privilege invariants

  • All access points between elements are closed by default. Relevant connections and APIs are explicitly enabled.

  • Scylla Database users can only access their Scylla DB over CQL or REST API (Alternator)

  • Users cannot log in to Scylla nodes, Monitoring, or Manager servers; enforced using IP/port whitelist.

  • Scylla Monitoring can only access Scylla DB servers' monitoring and log collection APIs; enforced using IP/port whitelist.

  • Scylla Manager can only access Scylla DB servers' Manager Agent API; enforced using IP/port whitelist.

  • Access to backups, stored on S3 (AWS) and Cloud Storage (GCP), is limited to the Scylla cluster instances
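
The default-deny and IP/port whitelist invariants above can be checked mechanically against an export of firewall rules. The following is an added example, not Scylla Cloud's own tooling; the role names, CIDRs, and ports (common Scylla defaults) are assumptions made for illustration, and the sample rules are constructed.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    src: str       # source CIDR allowed by the rule
    dst_role: str  # "scylla", "monitoring" or "manager"
    port: int      # destination TCP port

# Assumed addressing for this example (not Scylla Cloud's real layout).
ROLE_NETS = {
    "client": ipaddress.ip_network("10.1.0.0/16"),         # peered application VPC
    "monitoring": ipaddress.ip_network("172.31.0.10/32"),
    "manager": ipaddress.ip_network("172.31.0.11/32"),
}
# Explicitly enabled connections; everything else is closed by default.
# Ports are assumed (common Scylla defaults), not taken from the page.
ALLOWED = {
    ("client", "scylla"): {9042, 8000},      # CQL, Alternator
    ("monitoring", "scylla"): {9180, 9100},  # metrics endpoints
    ("manager", "scylla"): {10001},          # Manager Agent API
}

def source_role(cidr: str):
    """Return the role whose network fully contains cidr, else None."""
    net = ipaddress.ip_network(cidr)
    for role, role_net in ROLE_NETS.items():
        if net.version == role_net.version and net.subnet_of(role_net):
            return role
    return None

def audit(rules):
    """Return (rule, reason) for every rule the allowlist does not cover."""
    findings = []
    for rule in rules:
        role = source_role(rule.src)
        if role is None:
            findings.append((rule, "source not contained in any known role network"))
        elif rule.port not in ALLOWED.get((role, rule.dst_role), set()):
            findings.append((rule, f"{role} -> {rule.dst_role}:{rule.port} not enabled"))
    return findings

# Constructed sample rule export.
SAMPLE = [
    Rule("10.1.2.0/24", "scylla", 9042),      # client CQL: allowed
    Rule("172.31.0.11/32", "scylla", 10001),  # Manager -> agent: allowed
    Rule("10.1.2.0/24", "scylla", 22),        # user login to a node
    Rule("0.0.0.0/0", "scylla", 9042),        # open to the internet
    Rule("172.31.0.10/32", "scylla", 10001),  # Monitoring using Manager's API
]
```

Calling `audit(SAMPLE)` returns the last three rules with the reason each one violates the invariants; a rule whose source is broader than a single role's network is reported even when the port itself is an enabled one.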

Access Control

Scylla Cloud team access to the system is:

  • Limited to a minimal subset of Scylla Support engineers

  • Only done via tools / scripts

  • Audited

The above applies to both Scylla DB Clusters and the Control Plane. In particular, direct access to the Database servers is done as a last resort.

Encryption

Encryption in transit

The following channels are encrypted:

  • Scylla Node to Node in the same region - using AWS VPC encryption in transit or GCP VPC encryption in transit

  • Scylla Node to Node between regions - All data flowing across AWS Regions over the AWS global network is automatically encrypted at the physical layer before it leaves AWS secured facilities. All traffic between AZs is encrypted.

  • Scylla Client to Node - inside AWS, encrypted by default by AWS (see above). Scylla-managed encryption in transit is optional.

Encryption at rest on AWS

Scylla Cluster uses NVMe to store information. The data on NVMe instance storage is encrypted using an XTS-AES-256 block cipher implemented in a hardware module on the instance. The encryption keys are managed by EC2 and generated using the hardware module and are unique to each NVMe instance storage device.

Encryption at rest on GCP

Scylla Cluster uses SSD to store information. Compute Engine automatically encrypts your data when it is written to local SSD storage space.

© 2022, ScyllaDB. All rights reserved.
Last updated on 13 May 2022.