
ScyllaDB Cloud Security Concepts

The following describes the ScyllaDB Cloud security mechanism at a high level.

ScyllaDB Cloud security is built on four principles:

  • Principle of Least Privilege

  • Isolation

  • Auditing

  • Encryption

The following section will describe how these principles are used across different aspects of ScyllaDB Cloud. Everything below refers to both BYOA and ScyllaDB Account, unless explicitly stated otherwise.

Terms

  • Control Plane: the ScyllaDB Cloud backend, a collection of services and servers that manage ScyllaDB Cloud users and the ScyllaDB Cloud application (site), and that manage and monitor all the ScyllaDB Database Clusters.

  • ScyllaDB Cluster: ScyllaDB Enterprise servers, running either in the ScyllaDB Account or, in the case of BYOA, in the Customer Account.

Topology

Each ScyllaDB Cluster runs in a dedicated, isolated environment, including:

  • Dedicated VPC

  • Dedicated VMs for ScyllaDB Database

  • Dedicated VMs for ScyllaDB Monitoring and ScyllaDB Manager servers

The diagrams below describe the topology of a managed ScyllaDB Cloud cluster, in the ScyllaDB Account or the Customer Account (BYOA).

[Diagram: ScyllaDB Cloud on AWS Architecture - ScyllaDB Account]

[Diagram: ScyllaDB Cloud on AWS Architecture - BYOA]

Isolation invariants

  • There is no access from one cluster to another

  • Customer data is limited to the ScyllaDB Cluster. The Control Plane does not store, query, or access the Customer Data.

  • The Control Plane access to ScyllaDB Clusters is limited to:

    • Monitoring information (metrics)

    • Operations, such as adding a node, upgrading, etc.

  • Each cluster manages its own S3 backup bucket per DC (region)

Principle of Least Privilege invariants

  • All access points between elements are closed by default. Relevant connections and APIs are explicitly enabled.

  • ScyllaDB Database users can only access their ScyllaDB database over CQL or REST API (Alternator).

  • Users cannot log in to ScyllaDB nodes, Monitoring, or Manager servers; enforced using IP/port whitelist.

  • ScyllaDB Monitoring can only access the ScyllaDB database servers' monitoring and log collection APIs; enforced using IP/port whitelist.

  • ScyllaDB Manager can only access the ScyllaDB database servers' Manager Agent API; enforced using IP/port whitelist.

  • Access to backups, stored on S3 (AWS) and Cloud Storage (GCP), is limited to the ScyllaDB cluster instances.
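
The invariants above can be checked mechanically against the ingress rules of the database nodes, which is useful when reviewing a BYOA deployment in your own account. The following is an added example, not ScyllaDB code: the rule format, the role names and the sample rules are constructed, and the port numbers are ScyllaDB's usual defaults, which this page does not state (add the log collection port your deployment uses).

```python
from ipaddress import ip_network

# Assumption: ScyllaDB default ports; the page names no port numbers.
ROLE_PORTS = {
    "client": {9042, 9142, 8000},    # CQL, CQL over TLS, Alternator
    "monitoring": {9180, 9100},      # Scylla metrics, node_exporter
    "manager": {10001},              # Manager Agent API
}
INTERNAL_ROLES = {"monitoring", "manager"}


def audit_ingress(rules, cluster_vpc_cidr, role_ports=ROLE_PORTS):
    """Return (rule_index, reason) for every rule that breaks an invariant."""
    vpc = ip_network(cluster_vpc_cidr)
    findings = []
    for i, rule in enumerate(rules):
        role = rule["role"]
        allowed = role_ports.get(role)
        if allowed is None:
            # Closed by default: a source with no defined role gets no access.
            findings.append((i, f"unknown source role {role!r}"))
            continue
        opened = set(range(rule["from_port"], rule["to_port"] + 1))
        extra = sorted(opened - allowed)
        if extra:
            findings.append((i, f"{role} may not reach port(s) {extra[:5]}"))
        src = ip_network(rule["cidr"])
        # Isolation: Monitoring and Manager live in the cluster's dedicated VPC.
        if role in INTERNAL_ROLES and not src.subnet_of(vpc):
            findings.append((i, f"{role} source {src} is outside cluster VPC {vpc}"))
    return findings


# Constructed sample rule set for the database nodes of one cluster.
SAMPLE_RULES = [
    {"role": "client", "cidr": "203.0.113.10/32", "from_port": 9042, "to_port": 9042},
    {"role": "client", "cidr": "203.0.113.10/32", "from_port": 22, "to_port": 22},
    {"role": "monitoring", "cidr": "172.31.0.5/32", "from_port": 9100, "to_port": 9180},
    {"role": "manager", "cidr": "10.9.0.7/32", "from_port": 10001, "to_port": 10001},
]

if __name__ == "__main__":
    for idx, reason in audit_ingress(SAMPLE_RULES, "172.31.0.0/16"):
        print(f"rule {idx}: {reason}")
```

The sample flags an SSH rule for a database user, a Monitoring rule that opens a whole port range instead of the two metrics ports, and a Manager rule whose source lies outside the cluster's VPC.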

Access Control

ScyllaDB Cloud team access to the system is:

  • Limited to a minimal subset of ScyllaDB Support engineers

  • Only done via tools / scripts

  • Audited

The above is valid for both ScyllaDB Clusters and the Control Plane. In particular, direct access to the Database servers is done as a last resort.

Encryption

Encryption in transit

The following channels are encrypted:

  • ScyllaDB Node to Node in the same region - using AWS VPC encryption in transit or GCP VPC encryption in transit

  • ScyllaDB Node to Node between regions - All data flowing across AWS Regions over the AWS global network is automatically encrypted at the physical layer before it leaves AWS secured facilities. All traffic between AZs is encrypted.

  • ScyllaDB Client to Node - inside AWS, encrypted by default by AWS (see above). ScyllaDB-managed encryption in transit is optional.

Encryption at rest on AWS

ScyllaDB Cluster uses NVMe to store information. The data on NVMe instance storage is encrypted using an XTS-AES-256 block cipher implemented in a hardware module on the instance. The encryption keys are managed by EC2 and generated using the hardware module and are unique to each NVMe instance storage device.

Encryption at rest on GCP

ScyllaDB Cluster uses SSD to store information. Compute Engine automatically encrypts your data when it is written to local SSD storage space.

Last updated on 02 Feb 2023.