@@ -0,0 +1,63 @@
+[role="xpack"]
+[[elasticsearch-security]]
+== Security overview
+++++
+<titleabbrev>Overview</titleabbrev>
+++++
+
+Security protects {es} clusters by:
+
+* <<preventing-unauthorized-access, Preventing unauthorized access>>
+ with password protection, role-based access control, and IP filtering.
+* <<preserving-data-integrity, Preserving the integrity of your data>>
+ with SSL/TLS encryption.
+* <<maintaining-audit-trail, Maintaining an audit trail>>
+ so you know who's doing what to your cluster and the data it stores.
+
+[float]
+[[preventing-unauthorized-access]]
+=== Preventing unauthorized access
+
+To prevent unauthorized access to your {es} cluster, you must have a
+way to _authenticate_ users. This simply means that you need a way to validate
+that a user is who they claim to be. For example, you have to make sure only
+the person named _Kelsey Andorra_ can sign in as the user `kandorra`. The
+{es-security-features} provide a standalone authentication mechanism that enables
+you to quickly password-protect your cluster. If you're already using LDAP,
+Active Directory, or PKI to manage users in your organization, the
+{security-features} are able to integrate with those systems to perform user
+authentication.
+
+In many cases, simply authenticating users isn't enough. You also need a way to
+control what data users have access to and what tasks they can perform. The
+{es-security-features} enable you to _authorize_ users by assigning access
+_privileges_ to _roles_ and assigning those roles to users. For example, this
+role-based access control mechanism (a.k.a RBAC) enables you to specify that the
+user `kandorra` can only perform read operations on the `events` index and can't
+do anything at all with other indices.
+
+The {security-features} also support IP-based authorization.
+You can whitelist and blacklist specific IP addresses or subnets to control
+network-level access to a server.
+
+[float]
+[[preserving-data-integrity]]
+=== Preserving data integrity
+
+A critical part of security is keeping confidential data confidential.
+{es} has built-in protections against accidental data loss and
+corruption. However, there's nothing to stop deliberate tampering or data
+interception. The {stack-security-features} preserve the integrity of your
+data by encrypting communications to and from nodes. For even
+greater protection, you can increase the <<ciphers,encryption strength>>.
+
+[float]
+[[maintaining-audit-trail]]
+=== Maintaining an audit trail
+
+Keeping a system secure takes vigilance. By using {stack-security-features} to
+maintain an audit trail, you can easily see who is accessing your cluster and
+what they're doing. By analyzing access patterns and failed attempts to access
+your cluster, you can gain insights into attempted attacks and data breaches.
+Keeping an auditable log of the activity in your cluster can also help diagnose
+operational issues.
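Review bot: In the "Preserving data integrity" section the opening sentence is about confidentiality ("keeping confidential data confidential"), while the heading and the rest of the paragraph promise integrity, and the only mechanism named is "encrypting communications to and from nodes". Suggest scoping the claim to data in transit, for example "The {stack-security-features} protect data in transit against interception and tampering by encrypting communications to and from nodes", so the paragraph is not read as covering stored data. Smaller points: the file alternates between {es-security-features}, {security-features} and {stack-security-features} for what reads as the same feature set, so settle on one per context; "a.k.a RBAC" is missing the final period ("a.k.a."); and "whitelist and blacklist" in the IP filtering paragraph could be "allow and deny", which describes the behaviour more directly.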