A Foundational Look at Redis Enterprise

Redis Enterprise: A Secure Database

Redis Enterprise architecture is built to provide a great deal of control to help you meet your security standards and regulations. It provides separate paths for administrative access and data access, which helps simplify compliance. The use of separate paths means that administrators do not get direct access to customer data. It also means that applications and developers can have full access to read and write data without acquiring cluster administration privileges that may impact other databases/applications utilizing the same cluster.

  • Administrative Path: All the management and control operations on the Redis Enterprise cluster are performed through a dedicated and secure API that is resistant to attacks and provides better control of cluster admin operations. Redis Enterprise Administrators can:
    • Change cluster topology: add or remove nodes, or upgrade them
    • Manage databases: create and delete databases, change how resources are allocated to databases and their shards, or change settings such as adding or removing replication
    • Change settings of the cluster: manage credentials, alert settings, connection management, watchdog policies, etc.


  • Data Access Path: The data access path is used to perform operations on the data in a given database through the Redis API. Redis Enterprise inherently blocks all Redis commands that control the configuration of the database; for example, a CONFIG SET operation is blocked. Each database in the system can be isolated using distinct credentials, so that each identity can access only a subset of the databases. Databases in Redis Enterprise can also be organized so that all of their activity is confined to a separate set of nodes. In full isolation, the shards, connections and processing of a database's workload run, in steady state, on a completely isolated set of nodes within the same cluster.

The data-path and control-path separation is shown in the figure below:

[Figure: Cluster Architecture, Symmetric-Architecture Security Diagram]
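To make the data-path rules above concrete, here is an added, self-contained Python model of a data-path gate. It is illustrative code written for this page, not Redis Enterprise's own implementation: it parses RESP commands in the wire form a Redis client sends, binds each identity to a single database (the "distinct credentials" isolation described above), and rejects configuration-control commands such as CONFIG SET before they reach the database. The blocklist, the credential store and the passwords are constructed for the example; the actual list of commands Redis Enterprise blocks is not reproduced on this page, so the set here is an assumption.

```python
"""Illustrative model of a data-path command gate (not Redis Enterprise code)."""
import hashlib
import hmac

# Assumed blocklist of commands that control server configuration or
# topology. The page states that such commands are blocked on the data path
# (CONFIG SET is its example); the real list is not on the page, so this is
# a constructed stand-in for demonstration only.
BLOCKED_COMMANDS = frozenset({
    "CONFIG", "DEBUG", "SHUTDOWN", "REPLICAOF", "SLAVEOF", "CLUSTER",
    "MODULE", "SAVE", "BGSAVE", "BGREWRITEAOF", "MONITOR", "SYNC", "PSYNC",
})


def _pw_hash(password: str) -> bytes:
    """Store credentials as digests so the gate never keeps plaintext."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed credential store: database -> {identity -> sha256(password)}.
# Each identity is valid for exactly one database, modelling the page's
# statement that distinct credentials isolate databases from each other.
CREDENTIALS = {
    "orders-db": {"orders-app": _pw_hash("orders-secret-EXAMPLE")},
    "sessions-db": {"web-frontend": _pw_hash("sessions-secret-EXAMPLE")},
}


def parse_resp_command(raw: bytes) -> list:
    """Parse one RESP2 array of bulk strings into its argument list.

    Parses by byte offsets (not by splitting on CRLF) because bulk string
    payloads may themselves contain CRLF. Raises ValueError on malformed input.
    """
    if not raw.startswith(b"*"):
        raise ValueError("expected RESP array")
    end = raw.index(b"\r\n")
    count = int(raw[1:end])
    pos = end + 2
    args = []
    for _ in range(count):
        if raw[pos:pos + 1] != b"$":
            raise ValueError("expected bulk string")
        end = raw.index(b"\r\n", pos)
        length = int(raw[pos + 1:end])
        start = end + 2
        data = raw[start:start + length]
        if len(data) != length or raw[start + length:start + length + 2] != b"\r\n":
            raise ValueError("truncated bulk string")
        args.append(data.decode("utf-8"))
        pos = start + length + 2
    if pos != len(raw):
        raise ValueError("trailing bytes after command")
    return args


def encode_resp_command(*args: str) -> bytes:
    """Encode a command as a RESP2 array; used here to build sample traffic."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode("utf-8")
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def authenticate(database: str, identity: str, password: str) -> bool:
    """Constant-time check that the identity's credential is valid for this database."""
    expected = CREDENTIALS.get(database, {}).get(identity)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _pw_hash(password))


def gate_command(database: str, identity: str, password: str, raw: bytes):
    """Decide whether a data-path request may reach the database.

    Returns (allowed, reason). Authentication is checked first, then the
    wire format, then the command name against the control-path blocklist.
    """
    if not authenticate(database, identity, password):
        return False, "NOAUTH: identity not authorised for this database"
    try:
        args = parse_resp_command(raw)
    except ValueError as exc:
        return False, f"PROTOCOL: {exc}"
    if not args:
        return False, "PROTOCOL: empty command"
    command = args[0].upper()
    if command in BLOCKED_COMMANDS:
        return False, f"BLOCKED: {command} is a control-path command"
    return True, f"OK: {' '.join(args)}"


if __name__ == "__main__":
    creds = ("orders-db", "orders-app", "orders-secret-EXAMPLE")
    samples = [("SET", "order:1", "pending"),
               ("CONFIG", "SET", "maxmemory", "0"),
               ("GET", "order:1")]
    for cmd in samples:
        print(cmd, "->", gate_command(*creds, encode_resp_command(*cmd)))
    # The same identity has no access to a different database on the cluster.
    print(gate_command("sessions-db", "orders-app", "orders-secret-EXAMPLE",
                       encode_resp_command("GET", "x")))
```

The ordering in `gate_command` mirrors the point of the separate paths: an application credential is accepted only for the database it was issued for, and even a valid credential cannot reach configuration-control commands, so a compromised application password never turns into cluster-level control.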

Multi-Layer Security

Redis Enterprise provides a multi-layer security configuration, detailed below by category (feature, with deployment-specific details in parentheses):

Access control
  • AWS security group – allows only applications with the same security group configuration to access the database (applicable in Redis Enterprise Cloud deployments)
  • A Redis Enterprise cluster node can only talk with other nodes residing on the same cluster
  • Only reserved ports are available to the outside world (per this list)

Authentication
  • UI/API SSL authentication
  • UI/API user/password authentication
  • Database SIP authentication
  • Database SSL authentication
  • Database password authentication

Authorization
  • Role-based authorization for UI/API operations
  • LDAP support (applicable in Redis Enterprise software deployments)

Forensics
  • Admin action logging, monitoring and alerting for forensics

Encryption
  • Data in transit:
    • Client<>Redis – SSL/TLS
    • Inter cluster (between the cluster’s nodes) – IPSec
    • Across-cluster – SSL/TLS
  • Data at rest (storage encryption) – based on cloud provider capabilities; available as a package for Redis Enterprise software

Availability
  • TCP connection flood
  • Blocked Redis API configuration commands (per this list)
  • Redis network buffer overflow
  • Redis slave buffer overflow
  • Redis pub/sub buffer overflow
  • Lua memory overflow
  • Blocking Lua scripts from accessing the host
  • Protection against Out Of Memory (OOM) events
  • CPU throttling when max CPU is reached
  • Shard(s) migration when node utilization is reached
  • Shard(s) isolation
