I have a Google Alert set to watch for Elasticsearch news, and by far the most common theme lately is leaked data from unsecured Elasticsearch instances. Though it’s troubling and a black eye for Elasticsearch as a technology, it’s not terribly surprising; the OSS release of Elasticsearch comes with no security features whatsoever. Currently the responsibility lies with the user to either place Elasticsearch in a locked-down environment, purchase a commercial add-on for security, or leverage third-party tools to enhance the security of Elasticsearch.
We’ve been offering hosted Elasticsearch as a service at ObjectRocket for a long time now, and have always strived to protect the datastore as much as possible. On our current service, you’re able to limit access via user roles and user/password auth as well as lock down access to only approved source IP addresses and ranges. However, when we rebuilt the Elasticsearch offering on our new platform (currently in Beta), we had the opportunity to rethink how we provide security. It became apparent pretty quickly that the best solution was Search Guard.
What is Search Guard?
Search Guard is an Open Source security plugin for Elasticsearch and the entire ELK stack that offers encryption, authentication, authorization, audit logging, multi-tenancy, and compliance features. There’s a lot to digest in that first sentence, so I’ll break down the key features that Search Guard brings to the table:
- SSL/TLS: An SSL/TLS plugin for Elasticsearch that provides node-to-node transport layer encryption and HTTPS support on the REST layer.
- Role-Based Access Control: Assign users to roles that govern which Elasticsearch APIs they can use and what level of access they have.
- Index-level Permissions: In the community edition, you can even specify granular permissions on a per-index level.
- Free and Open Source: All of the features above (and more) are available in the community version which is open source, Apache 2.0 licensed, and goes well beyond what Elasticsearch and the ELK stack offer out of the box.
- Enterprise and Compliance Features: If you want to take the capabilities further, Document/Field level security, Active Directory/LDAP/JWT integration, Kibana Multitenancy, PCI-DSS/HIPAA/GDPR compliance, and more are all available with a license. All code, including the licensed components, is still open and available online.
The bottom line is that Search Guard provides absolutely necessary security in a free and Open Source package.
Why We Choose Search Guard
When setting out to rebuild our hosted Elasticsearch offering, we had some bare minimum requirements for whatever solution we used:
- Hot Reloads: We need to be able to add/modify/remove users while the cluster is running.
- Elasticsearch TLS and RBAC: We need the ability to encrypt traffic and provide multiple users and roles for connecting to Elasticsearch, similar to our current offering.
- Kibana Auth: We need a solution that provides authentication in front of Kibana.
- Open Source: The tool must meet our minimum needs with permissively licensed open source software.
- Feature Upside: We need a solution that enables us to offer even more features than we do today.
- Fast Updates: Our security solution must be able to keep up with the fast Elasticsearch release cycle.
As you can see, Search Guard met all of those needs and more. Not only have we found open source tools that meet our needs, but we’ve found a partner that’s worked with us through the development of the new platform. They’ve been responsive and engaged every step of the way.
Even More is Possible with Search Guard
The Search Guard team at Floragunn have done a great service to the community by providing all of the features above in a free open source package. They provide much-needed security features in Elasticsearch and help anyone improve the security of their Elasticsearch installation. However, for those who want a little more, we’ve partnered with Search Guard to offer the Enterprise and Compliance Editions.
We’re still in Beta on the new platform, so we haven’t yet integrated Enterprise/Compliance features and licensing into the UI. However, we do have the ability to test and enable components of these editions for customers interested in adopting them on our new platform, once we’ve gone into General Availability. Also, as we move forward, you can expect to see further integration and options for purchasing the Enterprise and Compliance editions on the ObjectRocket service.