Join us at Scylla Summit 2022 on Feb 9-10 Register for Free
Learn More
Menu

Scylla Cloud Security Concepts

The following describes Scylla Cloud security mechanism at a high level.

Scylla Cloud security is built on four principles:

  • Principle of Least Privilege

  • Isolation

  • Auditing

  • Encryption

The following section will describe how these principles are used across different aspects of Scylla Cloud. Everything below refers to both BYOA and Scylla Account, unless explicitly stated otherwise.

Terms

  • Control Plane: Scylla Cloud Backend, a collection of services and servers that manage Scylla Cloud users, Scylla Cloud application (site), manage and monitor all the Scylla Database Clusters.

  • Scylla Cluster: Scylla Enterprise Servers, running in either Scylla Account or, in case of BYOA, in the Customer Account.

Topology

Each Scylla Cluster is running on a dedicated, isolated environment, including:

  • Dedicate VPC

  • Dedicated VMs for Scylla Database

  • Dedicated VMs for Scylla Monitoring and Scylla Manager servers

The diagrams below describe the topology of a managed Scylla cloud cluster, in Scylla Account or Customer Account (BYOA)

Scylla Cloud Digram - Scylla Account

Scylla Cloud on AWS Architecture - Scylla Account

Scylla Cloud Digram - BYOA

Scylla Cloud on AWS Architecture - BYOA

Isolation invariants

  • There is no access from one cluster to another

  • Customer data is limited to the Scylla Cluster. The Control Plane does not store, query, or access the Customer Data.

  • The Control Plane access to Scylla Clusters is limited to:

    • Monitoring information (metrics)

    • Operations, like add node, upgrade etc

  • Each cluster manage its own S3 backup bucket per DC (region)

Principle of Least Privilege invariants

  • All access points between elements are closed by default. Relevant connections and API are explicitly enabled.

  • Scylla Database users can only access their Scylla DB over CQL or REST API (Alternator)

  • Users can not login to Scylla nodes, Monitoring, or Manager servers; enforced using IP/port whitelist.

  • Scylla Monitoring can only access Scylla DB servers monitoring and log collection APIs; enforce using IP/port whitelist.

  • Scylla Manager can only access Scylla DB servers Manager Agent API; enforced using IP/port whitelist.

  • Access backup, stored on S3 (AWS) and Cloud Storage (GCP), is limited to the Scylla cluster instances```

Access Control

Scylla Cloud team access to the system is:

  • Limited to a minimal subset of Scylla Support engineered

  • Only does via tools / scripts

  • Audited

The above is valid to both Scylla DB Clusters and Control Plan. In particular, direct access to the Database servers is done as a last resort.

Encryption

Encryption at transit

The following channels are encrypted:

  • Scylla Node to Node in the same region - using on AWS VPC Encryption in transit or GCP VPC Encryption in transit

  • Scylla Node to Node between regions - All data flowing across AWS Regions over the AWS global network is automatically encrypted at the physical layer before it leaves AWS secured facilities. All traffic between AZs is encrypted.

  • Scylla Client to Node - inside AWS, encrypted by default by AWS (see above). Scylla-managed Encryption at transit is optional.

Encryption at rest on AWS

Scylla Cluster uses NVMe to store information. The data on NVMe instance storage is encrypted using an XTS-AES-256 block cipher implemented in a hardware module on the instance. The encryption keys are managed by EC2 and generated using the hardware module and are unique to each NVMe instance storage device.

Encryption at rest on GCP

Scylla Cluster uses SSD to store information. Compute Engine automatically encrypts your data when it is written to local SSD storage space